Tag Archive for: MacOS

Iranian Hackers’ Sophisticated Malware Targets Windows and macOS Users

/in


Jul 06, 2023Ravie LakshmananEndpoint Security / Malware

Iranian hackers

The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware.

“TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho,” Proofpoint said in a new report.

“When given the opportunity, TA453 ported its malware and attempted to launch an Apple flavored infection chain dubbed NokNok. TA453 also employed multi-persona impersonation in its unending espionage quest.”

TA453, also known by the names APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) that has been active since at least 2011. Most recently, Volexity highlighted the adversary’s use of an updated version of a Powershell implant called CharmPower (aka GhostEcho or POWERSTAR).

In the attack sequence discovered by the enterprise security firm in mid-May 2023, the hacking crew sent phishing emails to a nuclear security expert at a U.S.-based think tank focused on foreign affairs that delivered a malicious link to a Google Script macro that would redirect the target to a Dropbox URL hosting a RAR archive.

Windows macOS Malware

Present within the file is an LNK dropper that kicks off a multi-stage procedure to ultimately deploy GorjolEcho, which, in turn, displays a decoy PDF document, while covertly awaiting next-stage payloads from a remote server.

But upon realizing that the target is using an Apple computer, TA453 is said to have tweaked its modus operandi to send a second email with a ZIP archive embedding a Mach-O binary that masquerades as a VPN application, but in reality, is an AppleScript that reaches out to a remote server to download a Bash script-based backdoor called NokNok.

UPCOMING WEBINAR

🔐 Privileged Access Management: Learn How to Conquer Key Challenges

Discover different approaches to conquer Privileged Account Management (PAM) challenges and level up your privileged access security strategy.

Reserve Your Spot

NokNok, for its part, fetches as many as four modules that are capable of…

Source…

Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari

/in


Jun 22, 2023Ravie LakshmananVulnerability / Endpoint Security

iOS, macOS, and Safari

Apple on Wednesday released a slew of updates for iOS, iPadOS, macOS, watchOS, and Safari browser to address a set of flaws it said were actively exploited in the wild.

This includes a pair of zero-days that have been weaponized in a mobile surveillance campaign called Operation Triangulation that has been active since 2019. The exact threat actor behind the activity is not known.

  • CVE-2023-32434 – An integer overflow vulnerability in the Kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges.
  • CVE-2023-32435 – A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content.

The iPhone maker said it’s aware that the two issues “may have been actively exploited against versions of iOS released before iOS 15.7,” crediting Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin for reporting them.

The advisory comes as the Russian cybersecurity vendor dissected the spyware implant used in the zero-click attack campaign targeting iOS devices via iMessages carrying an attachment embedded with an exploit for the kernel remote code execution (RCE) vulnerability.

The exploit code is also engineered to download additional components to obtain root privileges on the target device, after which the backdoor is deployed in memory and the initial iMessage is deleted to conceal the infection trail.

The sophisticated implant, called TriangleDB, operates solely in the memory, leaving no traces of the activity following a device reboot. It also comes with diverse data collection and tracking capabilities.

Cybersecurity

This includes “interacting with the device’s file system (including file creation, modification, exfiltration, and removal), managing processes (listing and termination), extracting keychain items to gather victim credentials, and monitoring the victim’s geolocation, among others.”

In an attempt to complete the attack puzzle and gather its different moving parts, Kaspersky has released a utility called “triangle_check” that organizations can use to scan iOS device backups and hunt for any signs of…

Source…

This macOS malware can steal your private data, passwords, and credit card info — what we know

/in


While macOS doesn’t have as big of a target on its back for hackers as Windows, it isn’t actually immune from malware and a new threat has emerged for modern Macs.

The aptly named MacStealer malware targets macOS laptops and desktops running macOS Catalina or above. That includes those running Intel, M1, or M2 chips. The goal is to steal a wide variety of data from you including iCloud Keychain data, credit card info, passwords, files, images, and more (via The Hacker News).

How does MacStealer work?

The Uptycs researchers that discovered the malware and covered it in their blog were unable to determine how it is being distributed, but it relies on a DMG (macOS installer file) called weed.dmg, which once triggered will open a password prompt that can then be used to gain access to your data. 

Fake password prompt created by MacStealer malware

(Image credit: Uptycs)

The malware was spotted in online hacking forums earlier this month and its authors intend to expand on its current features to add support for capturing data from the Safari browser and Apple Notes app. It is currently focused on Google Chrome, Mozilla Firefox, Brave browsers, Microsoft Office files, image files, PDFs, archives, and Python scripts. 

How to protect your Mac from MacStealer

Source…

Windows, macOS, and Tesla exploits debuted at Pwn2Own hacking contest

/in


Security researchers have successfully exploited zero-day vulnerabilities found in macOS, Windows, and Tesla software at the Zero Day Initiative’s Pwn2Own conference.  

Day one of the 2023 competition, hosted in Vancouver, saw 12 unique zero-day vulnerabilities exploited in Microsoft SharePoint, Windows 11, Adobe Reader, Oracle VirtualBox, Tesla Gateway, and macOS.  

Abdul Aziz Hariri of security firm Haboob successfully exploited vulnerabilities in Adobe Reader. Hariri used a six-bug chained exploit to escape the Adobe sandbox and circumvent APIs on macOS, earning a $50,000 prize in the process.  

A key talking point on day one of Pwn2Own came when STAR Labs successfully executed a chained exploit against Microsoft SharePoint. The team also hacked Ubuntu Desktop with a previously known vulnerability which saw them scoop a combined prize of $115,000. 

Synacktiv secured a $140,000 prize haul – and a Tesla Model 3 – after hacking Apple’s macOS kernel through an elevation of privilege attack as well as a successful vulnerability exploit of Tesla Gateway. This attack saw the team execute a time-of-check to time-of-use (TOCTOU) attack against the Gateway.

Tesla’s Gateway is a system in its Powerwall product which controls a vehicle’s connection to the grid. The Gateway automatically detects outages and provides a “seamless transition” to backup power in the event of an outage.  

This isn’t the first time Tesla Gateway has been exploited successfully. In 2020, researchers at security firm Rapid7 highlighted security risks due to the Gateway’s connection to the internet.  

Meanwhile, security researcher Marcin Wiazowski used an improper input validation bug to elevate privileges on Windows 11 which saw him secure a $30,000 prize. 

Bien Pham rounded off the first day with a successful exploit against Oracle VirtualBox, earning a prize of $40,000.  

More to come at Pwn2Own 

The annual competition saw $375,000 in prizes awarded over the course of day one, with Justin Childs, head of threat awareness at the Zero Day Initiative, stating that the contest is “well on its way to a million dollars”.  

Last year’s contest saw researchers take home more than $1.1 million in…

Source…